DE102004040059A1 - Method and device for safety-related wireless signal transmission - Google Patents

Abstract

The invention relates to an easily implementable method for safety-related wireless signal transmission and to an associated device (15), the latter comprising a source unit (16) and a sink unit (17) connected thereto via a wireless transmission link (13). It is provided that an input signal (S¶E¶) is duplicated on the source side and each copy (S¶K1¶, S¶K2¶) of the duplicated input signal (S¶E¶) is duplicated on a separate, independent software path (29, 30) Transmitter module (25) is supplied, that all copies (S¶K1¶, S¶K2¶) are transmitted from the transmitter module (25) via the common wireless transmission link (13) to a receiver module (25) of the sink unit (17) at the bottom, each transmitted copy (S¶K1¶, S¶K2¶) is fed separately to a comparator module (41) on an independent software path (37, 38), and by means of the comparator module (41) the output copies (S¶K1¶, S ¶K2¶) are tested for their consistency, wherein in the case of consistency by the comparator module (41) a copy (S¶K1¶, S¶K2¶) corresponding output signal (S¶A¶) is generated.

Description

The The invention relates to a method for safety-related wireless signal transmission, in particular for transmission a safety-related control signal in a medical Diagnostic or therapy facility. The invention further relates to a device for carrying out of the said method.

When Signal is generally one with electrical, electronic or transmitted electromagnetic means Information, in particular one from a command generator to a plant control issued control command called. As security relevant such a signal is then designated if warranted for safety reasons must be that a faulty transmission of the signal is excluded is or at least recognized. A signal is especially then to be regarded as safety relevant, if from a faulty signal transmission the risk of damage of objects or injury to persons.

at a medical diagnostic or therapeutic facility, e.g. one X-ray equipment, are usually a number of safety-related signals transferred to. For example, the control of the X-ray source of the system and the Control of the motor system of a patient table associated with the system such safety-related signals a risk of injury for to be able to exclude the treated patients and the operating personnel ensured be that the x-ray or the motor system of the patient table according to those of the operating personnel triggered Control commands is controlled and that in case of failure of signal transmission the X-ray source or the motor skills immediately be put into a safe state.

So far a safety-related signal is usually transmitted by cable. To increase the Safety is common the signal is redundant, i. to transmit in parallel over several independent signal channels. Sometimes mixed transmission structures are used, in which a transmitted in a signal channel sub-signal in the form a software telegram is transmitted, while another signal channel as a simple physical cable connection is trained. On the first signal channel, for example, a specific function selection (e.g., lift patient table), while over the second signal channel a general release of the device engine (e.g., release of the motor voltage).

Around with wireless signal transmission to meet comparable safety requirements, is here too the transmission structure conventionally redundant, e.g. by two independent Infrared transmission links executed. wireless Signal transmission devices those for transfer safety-relevant signals is suitable, in particular this reason usually comparatively expensive structured.

Of the Invention is based on the object, an easy to implement Specify a method that is as possible secure signal transmission allows. The invention is further based on the object, one for carrying out the Specify method particularly suitable device.

Regarding the Method, the object is achieved by the features of the claim 1. Regarding the associated Device, the object is achieved by the features of the claim 6th

According to the invention, it is provided to duplicate an input signal and one each through this duplication generated Ko pie of the input signal in a uriabhängigen software path a source unit. Within the source unit is each copy of the input signal separately on the associated software path a common transmitter module supplied, which all copies together via a wireless transmission link to a receiver module a sink unit transmits. Within The sink unit will turn each copy received on one independent Software path supplied to a comparator module, which copies the checked their mutual consistency and in the Consistency case an output signal corresponding to the content of the copies outputs.

When consistent with each other then different copies are detected if they correspond to the same signal, i. the same information contain.

The software path is a software module or a number of mutually dependent software modules, in the course of which or a signal is logically forwarded, where appropriate, the external form of the signal is processed in one or more of the software modules. As independent from each other, two software paths are designated when no module of the one software path is in communication with a module of the other software path. Due to the independence of the parallel software paths implemented in the source unit or in the sink unit, it is particularly precluded that a software path is processed during execution an error that affects the signal transmission in a parallel software path.

As a result the duplication of the input signal into multiple copies, the leadership of this Copies on independent Software paths and the final one Comparison of the transmitted Copies is one complete redundant signal transmission guaranteed whereby any transmission errors be detected with high security. In particular, this is the invention single-rail Execution of the actual wire loose transmission link without Security loss feasible, which in turn comparatively simple hardware construction of the device allowed. The procedure and the associated Device are thus at high security and low risk of failure easy, and thus in particular to realize low cost.

In a preferred embodiment it is envisaged that in each software path of the source unit the guided on this path Copy of the input signal by generating a test information associated with the copy and that in each software path the sink unit the copy based on the source-generated test information for transmission errors checked becomes. As test information In particular, a so-called CRC (Cyclic Redundancy Code), in particular a 32-bit CRC. By the source side Generation of the check information and their sink-side review will be In particular, the advantage that achieves the actual wireless Signal transmission, i.e. in particular to the transmitter or receiver module used, no safety requirements have to be made. It can therefore wireless transmission systems any technology and any manufacturer can be used without the security of the signal transmission in general.

Of the Source unit, the input signal is expediently by a signal line, i.e. a cable connection supplied. The signal line is in this case designed in particular several times, ie includes prefers several signal channels, over each of which a partial signal of the input signal can be fed. Every partial signal In this case corresponds in particular to a binary switching state.

The Duplication of the input signal is advantageously carried out hardware side by adding each signal channel to the signal line respectively connected to a port of each software path of the source unit is. As a port, this is generally a binary input and / or output interface of a host controller of the source sink unit over which a software path implemented in the corresponding host controller reads in or outputs a signal value. Preference is given to each source or Lower side implemented software path a corresponding number assigned to such ports.

includes the input signal a plurality of sub-signals, these are these sub-signals expediently in different order on ports of a first software path and corresponding ports of a parallel second software path placed. Different copies of the input signal receive the sub-signals of the input signal consequently - measured a given port order - in differently permuted Shape. Through this permutant duplication of the input signal in the different parallel software paths is the detection a software-related faulty transmission makes it easier, especially since any one has the same effect on all software paths Software error the corresponding sub-signals of the permuted Would copy with high probability in different ways would falsify.

When Further protection against hidden software errors is advantageous provided that different parallel software paths of the source unit or sink unit are respectively diversified to each other, i. on different Software based. This means in particular that two each other in terms of their function corresponding software modules different Software paths are executed differently.

additional Security over Software errors is preferably further achieved by the Comparator module is designed as a hardware comparator, i. on a non-programmable electronic circuit is based.

advantageously, If the comparator module is designed such that, in the case of inconsistency, i.e. if two corresponding copies are not consistent with each other be detected, an output signal that outputs a safe state the controlled system causes.

Around the risk of a transmission error in the area of the wireless transmission link to minimize is expediently provided within the source unit from the various software paths supplied Copies for joint transmission to the sink unit in a transmission frame Data structure of a given form, this transmission frame optionally also contains the optionally generated test information. Additionally or Alternatively, to secure the individual copies is preferred here also the backup of the entire transmission frame provided by source-side generation of an associated check information and its sink-side check.

In advantageous structural design of the hardware components The device comprises both the source unit and the Sink unit one controller board each with a host controller, on which the software assigned to the corresponding unit is implemented, as well as with the transmitter module or receiver module. Preferably, this comes as a combined transmitting / receiving component trained radio module on the one hand as a transmitter module of the source unit and, on the other hand, as a receiver module the sink unit used. This allows in particular, a respect the hardware used identical controller board for both the source unit as well as the sink unit, whereby the with the production the device associated production costs significantly reduced becomes. The different specification of the controller board as part of the source unit or sink unit here only by different software configuration as well by different connection of the controller board.

In a reasonably priced one feasible and expedient execution as a radio module source and sink side each one with the Bluetooth standard compatible radio module used.

to Control of the hardware function of the host controller is this expediently a monitoring module (a so-called watch-dog) assigned. This monitoring module is in periodic intervals supplied by the host controller, a trigger signal. If the trigger signal remains off, or the trigger signal does not become in the predetermined time interval delivered, then recognizes the monitoring module a malfunction of the host controller and sets this by a Reset command back to a defined initial state. The monitoring module is preferably provided on both the source side and the lower side, especially on the respective controller board of the sink unit and source unit integrated.

Additionally or Alternatively, the sink unit is assigned a further monitoring module, the also by the host controller of the sink unit a periodic Trigger signal supplied becomes. This monitoring module acts directly on the comparator module and induces this at a detected malfunction of the host controller by issuing a corresponding output signal a safe state of the driven Plant cause.

Further advantageous embodiments of the invention will become apparent from a Below described with reference to a drawing embodiment of the Invention. Show:

1 in a schematic block diagram of a technical, in particular medical technology system with a commander and a system controller interposed device for wireless transmission of a safety-relevant control signal,

2 in a schematic block diagram of a source unit and a device connected thereto via wireless transmission link sink unit according to 1 .

3 in a schematic flowchart according to a software configuration of the source unit according to 2 .

4 in a data structure diagram, the structure of a transmission frame used for transmitting information from the source unit to the sink unit; and

5 in a schematic flowchart according to a software configuration of the sink unit 2 ,

each other corresponding parts and sizes are always provided with the same reference numerals in all figures.

1 shows a rough schematization of a technical, especially medical technical system 1 , At the plant 1 For example, it is a medical X-ray system. The attachment 1 includes a plant part to be controlled 2 , which is, for example, a motor drive for adjusting a patient table (not shown).

For controlling the system part 2 includes the facility 1 designed as a key switch commander 3 , by the actuation of which a user triggers a safety-relevant control signal S. The control signal S comprises two part of the commander 3 parallel and redundant as electrical switching states output partial signals S1 and S2. The sub-signal S1 represents a function selection, eg the control command "raise table" and is a control computer 4 a plant control 5 fed. The control computer 4 After appropriate evaluation, the partial signal S1 in the form of a software telegram is sent to a function generator 6 the plant control 5 from this, in turn, a corresponding supply voltage V for driving the plant part 2 generated.

For safety reasons, the plant part 2 and the function generator 6 a safety switch 7 interposed, the over a free reproducing circuit 8th the second part signal S2 is supplied in the form of a switching state. The sub-signal S2 acts as an enable signal by activating a release of the supply voltage V by the safety switch 7 triggers, whereas the safety switch 7 the plant part 2 forcibly shuts off when the sub-signal S2 is deactivated. The release line 8th is as physical cable connection to the plant control 5 passed to the safety shutdown caused by the sub-signal S2, regardless of the proper function of the plant control 5 to ensure. Proper functioning of the release line 8th in turn will have a supervision connection 9 from the control computer 4 supervised.

As additional security function is the plant 1 still an emergency off switch 10 assigned, via a switching line 11 directly on the safety switch 7 acts by locking it on actuation and thus by forced shutdown of the system part 2 the attachment 1 put in a safe state.

The commander 3 is part of a mobile controller 12 , in particular a portable remote control and is so far with the plant control 5 only via a wireless transmission link 13 connected. For transmission of the control signal S via this wireless transmission path 13 includes the facility 1 a device 15 , The device 15 is formed from a the control unit 12 associated source unit 16 as well as from a fixed with the plant control 5 connected sink unit 17 , The signal S to be transmitted becomes the source unit 16 from the commander 3 via a signal line 18 supplied as input signal S _E. The signal line 18 includes two signal channels 19 and 20 each of which carries one of the sub-signals S1 and S2, respectively. Between the source unit 16 and the sink unit 17 Here is the wireless transmission link 13 clamped. The system control 5 or the safety switch 7 from the sink unit 17 supplied control signal S is hereinafter also referred to as an output signal S _A.

As in particular from 2 indicates that both the source unit 16 as well as the sink unit 17 one controller board each 23 , on each of which a host controller 24 and a wireless module operating in Bluetooth technology 25 are constructed. The controller board 23 also contains a monitoring module 26 ie, a so-called watchdog, for monitoring the host controller 24 ,

That of the source unit 16 assigned controller board 23 and the sink unit 17 assigned controller board 23 are identically constructed from the standpoint of the hardware used. In particular, the radio module 25 a combined transmitting / receiving component and is used on the one hand source side as a transmitter module and on the other hand, the sink side as a receiver module. The source or sink side specification is given to the respective controller board 23 by different software configuration described in more detail below and by a different connection, each via a source-specific or base-specific base board 27 takes place on which the respective controller board 23 is constructed.

In order to be able to reliably detect any transmission errors of the control signal S, the control signal S is transmitted in two independent, ie logically separated, paths along the path through the device 15 established transmission path. For this purpose, the input signal S _{E is} first duplicated and in the form of two copies S _K1 , S _K2 in the source-side host controller 24 read. For logically separate processing and forwarding of the respective copy S _K1 or S _K2 are in the Hostcont roller 24 two independent software paths 29 and 30 implemented in the scheme according to 2 as delimited areas of the host controller 24 are indicated. Every software path 29 respectively. 30 are a number of ports 31a . 31b respectively. 32a . 32b of the host controller 24 assigned via which a binary signal value in the respective software path 29 respectively. 30 can be read.

The duplication of the input signal S _E is carried out by both the first signal channel carrying the sub-signal S1 19 as well as the second signal part S2 leading second signal channel 20 the signal line 18 with one port each 31a . 31b the first software path 29 and another port 32a . 32b the second software path 30 are connected. This duplication of the input signal S _E on the hardware side has the advantage of a comparatively high level of error safety, since in this way a software-defective signal duplication is fundamentally excluded.

How out 2 can be seen, the sub-signals S1 and S2 in opposite directions in the software paths 29 respectively. 30 fed. Specifically, the first port 31a the software path 29 with the sub-signal S1 and the second port 31b occupied with the sub-signal S2, while the corresponding ports 32a respectively. 32b the software path 30 opposite to the sub-signals S2 and S1 are occupied. This ensures that the two copies S _K1 and S _{K2 of} the input signal S _E in different bit order on the software paths 29 and 30 which provides additional security in terms of software-related transmission errors.

Within each software path 29 and 30 is the associated copy S _K1 or S _K2 on Secured in the manner described in more detail below against transmission errors. Both copies S _K1 , S _K2 are then via a module 35 by which the copies S _K1 and S _{K2 are} "packaged" in a common transmission frame R, the source side radio module 25 zugelei tet and of this via the wireless transmission link 13 together to the radio module 25 the sink unit 17 transmitted.

The sinkside radio module 25 routes the transmitted copies S _K1 , S _{K2 to} the sink-side host controller 24 to. There, the transmitted copies S _K1 , S _K2 in a module 36 separated again and each one of two independent software paths 37 respectively. 38 fed. There, each copy S _K1 or S _{K2 is} tested for transmission errors in the manner described in more detail below, and if correctly transmitted via the respective software path 37 or 38 assigned ports 39a . 39b respectively. 40a . 40b the sink-side host controller 24 a downstream comparator module 41 fed.

Is inside the device 15 If no transmission error has occurred, both copies S _K1 and S _K2 must be identical copies of the input signal S _E except for the planned sequence of the sub-signals S1 and S2. In particular, the same sub-signal S1 or S2 must always have the same value for both copies S _K1 and S _K2 . This consistency condition is used in the comparator module 41 checked. The comparator module 41 is in this case designed as a hardware comparator, ie as a non-programmable electronic circuit, in order in turn to rule out a software-related malfunction in principle. If the copies S _K1 and S _{K2 are} recognized as consistent, then the comparator module gives 41 a (identical) content of the copies S _K1 , S _K2 corresponding output signal S _A to the plant control 5 from. In the case of inconsistency, the comparator module generates 41 an output signal S _A , which is the plant 1 put in the safe state.

As an added security measure, the proper functioning of both the source-side and sink-side host controllers 24 through the respectively assigned monitoring module 26 continuously monitored. For this purpose, the monitoring module 26 through the associated host controller 24 supplied at predetermined time intervals periodically a trigger signal T. If this trigger signal T remains off or does not occur in the predetermined cycle, the monitoring module activates 26 a reset port 42 of the respective host controller and thereby sets the host controller 24 back to a defined initial state.

To protect against a dangerous hardware failure of the host controller 24 is the sink unit 17 provided with a second, external Abschaltweg. This includes another monitoring module 43 also from the sink-side host controller 24 is supplied with a trigger signal T. The monitoring module 43 acts, in contrast to the monitoring module described above 26 , not on the host controller 24 back, but directly to the comparator module 41 , In case of error, the monitoring module leads 43 the comparator module 41 a shutdown signal A to, which is the comparator module 41 caused by issuing a corresponding output signal S _A the system 1 into the safe state.

Proper functioning of the comparator module 41 will continue from that of the sink unit 17 associated host controller 24 monitored continuously or at periodic intervals. The host controller 24 is for this purpose a supervision sport 44 with the comparator module 41 connected. The corresponding supervision sport 44 the source-side host controller 24 is for monitoring the power supply of the source unit 16 used. This is useful, especially since the source unit 16 or the control unit 12 over one of the remaining plant 2 independent power supply 46 , in particular a battery or a rechargeable battery. Represents the host controller 24 a critical condition of this power supply 46 fixed, it notifies the user, for example by controlling (not explicitly shown) optical and / or acoustic display elements of the control unit 12 , Optionally, it is provided that the host controller 24 In this case, a risk-triggered function trigger under these circumstances continues to be denied and / or a safe state of the system 1 causes.

The software configuration of the source-side host controller 24 is in 3 explained in more detail with reference to a simplified flowchart. The modules introduced here 50 - 55 . 63 . 64 Designate functional components of a software, which are executable in a predetermined time sequence, and thus also represent process steps of the executed by the software method. The same applies to the in 5 introduced modules or routines 70 - 89 ,

In 3 it can be seen that the parallel software paths 29 and 30 in each case two sequentially successive modules 50 and 51 respectively. 52 and 53 include. Through the first module 50 the software path 29 become the at the ports 31a and 31b The signal values of the sub-signals S1 and S2 of the copy S _{K1 which are present} at the time of interrogation are read in. The read-in signal values are bitwise compared with corresponding, last read-in signal values. In particular, this determines whether this is the case of a read port 31a . 31b adjacent partial signal S1, S2 an unchanged pas siven ("0") or active ("1") signal value, or whether a signal change "0->1" or "1->0" has occurred between the current and the previous read-in time. Subsequently, by the following module 51 a 32-bit CRC corresponding to the read-in signal values of the copy S _K1 is calculated, which is assigned to the copy S _K1 as associated check information I _K1 , in order to be able to detect possible transmission errors on the lower side.

The module 52 the parallel software path 30 corresponds in terms of its function to the module 50 and reads accordingly at the assigned ports 32a and 32b applied signal values of the sub-signals S2 and S1 of the copy S _K2 . Through the functional module 51 appropriate module 53 An associated CRC is assigned to the copy S _K2 as check information I _K2 .

It is essential that the software paths 29 and 30 are independent, that is between the modules 50 and 51 on the one hand and the modules 52 and 53 On the other hand, no data exchange takes place, so that a possible software error of one of the software paths 29 and 30 not on data transmission and data processing in the other software path 29 . 30 can affect.

To further reduce the risk of an undetected software-related transmission error, the software paths are 29 and 30 also diversified. This is understood to mean that at least one of the modules 50 or 51 the software path 29 on a different software, in particular on a different program code, is based as the functionally appropriate module 52 respectively. 53 the second software path 30 ,

After securing both copies S _K1 and S _K2 is by a module 54 checked whether a radio transmission to the sink unit 17 should be done. The module checks as criteria for initiating a radio transmission 54 whether the read-in copies S _K1 and S _K2 correspond to one another with regard to the signal values of the sub-signals S1 and S2. If necessary, the module checks 54 whether at least one sub-signal S1 or S2 is active ("1") or whether in at least one sub-signal 51 . 52 a signal change "1->0" has taken place. In the former case (S1 = "1" OR S2 = "1") the module checks 54 furthermore, whether a repetition interval of approx. 50 ms has elapsed since the last radio transmission. The latter condition is checked by means of a query as to whether a corresponding send repetition timer t _{Q has} expired, ie whether the condition [t _Q = 0]? is satisfied.

If the above test criteria are met, the module activates 54 a subsequent module 55 , Otherwise, the module activates 54 the modules 50 and 52 to repeat the read-in process.

Due to the hardware-side duplication of the input signal S _E is located at the ports 31a and 32b respectively. 31b and 32a the same signal value at all times. Program-related are the ports 31a . 31b . 32a . 32b but sequentially, ie read at a short time interval. As a result, it may happen that, during a signal change occurring during the read-in process, different signal values of one or both component signals S1 and S2 into the respective software paths 29 and 30 be read. Such functionally predictable information discrepancy between the copies S _K1 and S _K2 is determined by the module 54 not in the sense of a transmission error. Rather, the read-in process is simply repeated in this case.

On the other hand, if a payload satisfying the above test criteria is present, then the read-in copies S _K1 and S _K2, together with the respective associated check information I _K1 , I _K2 , are read by the module 55 summarized in a common transmission frame R. As a transmission frame R here a fixed data structure is designated, whose structure in 4 is shown schematically. The transmission frame R then comprises a header segment, also referred to as a header 56 a given bit length, a serial number and a radio module 25 the sink unit 17 assigned recipient address contains. On the head segment 56 follow two data segments 57 and 58 predetermined bit length, of which the former contains the copy S _K1 and the latter the associated check information I _K1 . To the data segment 58 in turn closes a separation segment 59 which contains a characteristic value, in particular "0x00". On the separation segment 59 in turn follow two data segments 60 and 61 containing the content of the copy S _K2 or the associated check information I _K2 . To the data segment 61 closes a final segment 62 which in turn contains a characteristic value, in particular "0xFF".

As an additional security measure, the entire transmission frame R is passed through the module 55 again secured by calculation of the associated 32-bit CRC as check information I _R.

After creation of the transmission frame R and calculation of the associated test information I _R is by a module 63 the retransmission timer t _Q started. Subsequently, by a module 64 the transmission frame R together with the associated test information I _R the radio module 25 forwarded for transmission. Subsequently, the read-in process is started again.

Due to the software configuration according to 3 In particular, it is achieved that an active sub-signal (S1 = "1" OR S2 = "1") as long as it is connected to the source unit 16 is present at periodic intervals, which are predetermined by the expiration time of the retransmission timer t _q repeatedly to the sink unit 17 sent and thus continuously confirmed. In this way, for the duration of the active signal state, a continuous function control of the source unit 16 given. In particular, it is thus possible to prevent an active signal state in the case of a possible breakdown of the source unit 16 is maintained incorrectly on the lower side. On the other hand, an explicit termination of an active signal state (S1 = "1->0" OR S2 = "1->0") immediately, in particular regardless of the state of the retransmission timer t _Q , to the sink unit 17 forwarded.

Those in the sink-side host controller 24 Implemented software configuration is described below using an in 5 illustrated flowchart illustrates. After that is through a module 70 Checks if data from the sinkside radio module 25 received and the sink-side host controller 24 were forwarded. If necessary, a module determines 71 by checking the receiver address, the serial number and the check information I _R , whether the received data packet corresponds to an expected transmission frame R and whether it has been transmitted correctly. If necessary, the module activates 71 another module 72 , Otherwise the module starts 71 an error handler 73 ,

The module 72 separated from a correctly recognized transmission frame R copies S _K1 , S _K2 and the respective associated test information I _K1 , I _K2 and forwards the copy S _K1 together with the associated test information I _K1 a module 74 the software path 37 to. The copy S _K2 is analogous together with the associated check information I _K2 a module 75 the software path 38 fed.

Through the modules 74 respectively. 75 a check is made as to whether the respective copy S _K1 or S _{K2 has been} correctly transmitted, ie is consistent with the respectively associated check information I _K1 or I _K2 . If necessary, the module activates 74 a module 76 or the module 75 a module 77 , Otherwise, that module activates 74 respectively. 75 detecting a transmission error, an error handling routine 78 ,

When activated, the module starts 76 respectively. 77 an associated reception repetition _timer t _S1 or t _S2 . The activation of the reception repetition _timer t _S1 or t _S2 indicates that, at or until the activation time, an active signal state S1 = "1" OR S2 = "1" in the corresponding software path 37 respectively. 38 present. The reception repetition timer t _S1 or t _S2 defines a time expectation for a next incoming data packet that confirms or aborts this signal state. If no valid data packet is received within this time expectancy, an error is detected and accordingly a safe state of the system 2 brought about.

To 3 the reception of a signal confirmation or a signal abort within the expiration time of the retransmission timer t _{Q is} to be expected. The time expectation given by the expiration time of the reception repetition timers t _S1 , t _S2 is 100-150 ms and is thus chosen to be greater than the expiry time of the retransmission timer t _Q , in order to possibly bridge a single lost radio transmission without triggering an error.

After starting the respective reception repetition _timer t _S1 , the module activates 76 a subsequent module 79 through which the sub-signals S1 and S2 of the copy S _K1 to the ports 39a respectively. 39b be read out. Likewise, by the module 77 a subsequent module 80 activated, by which the sub-signals S2 and S1 of the copy S _K2 to the ports 40a respectively. 40b be read out.

The process steps described below serve for the continuous control of the sink side host controller 24 output signal values. This is done by a module 81 the software path 37 and a corresponding module 82 the software path 38 checks whether the respective reception repetition _timer t _S1 or t _{S2 is} still running. If necessary, by the module 83 respectively. 84 the at the respective ports 39a . 39b respectively. 40a . 40b applied signal values read back. It checks whether, as expected, at least one of the read back ports 39a . 39b respectively. 40a . 40b an active signal state ("1") is present.

Represents the module 81 respectively. 82 on the other hand, it is determined that the respective reception repetition _timer t _S1 or t _{S2 has} expired, the module activates 81 a subsequent module 85 or the module 82 a subsequent module 86 , Through the respective module 85 respectively. 86 become the assigned ports 39a . 39b respectively. 40a . 40b reset to a passive output value ("0"). For safety reasons, the module 85 respectively. 86 the signal state at the respectively controlled ports 39a . 39b respectively. 40a . 40b read back to check if the signal state reset was successful.

When activating the module 84 this also gives the external comparator module 41 free. Through the alternative module 86 in contrast, the comparator module 41 blocked.

By subsequent modules 87 and 88 the software paths 37 respectively. 38 is finally checked, whether by the modules 83 to 86 read back signal values are in accordance with expectations. If necessary, by re-activation of the module 70 the flowchart according to 5 restarted. Represents one of the modules 87 or 88 a read error, it calls a corresponding error handling routine 89 on.

As long as no new data from the sink unit 17 are received, the module calls 70 directly the modules 81 and 82 on, so that through the modules 70 such as 81 to 88 defined program loop is executed continuously.

The software paths 37 and 38 are again designed to increase the transmission reliability independent and diverse.

Claims (18)

Method for safety-related wireless signal transmission, in which an input signal (S _E ) is duplicated and each copy (S _K1 , S _K2 ) of the duplicated input signal (S _E ) within a source unit ( 16 ) on a separate, independent software path ( 29 . 30 ) a transmitter module ( 25 ), in which all copies (S _K1 , S _K2 ) from the transmitter module ( 25 ) via a common wireless transmission link ( 13 ) to a receiver module ( 25 ) a sink unit ( 17 ), in which within the sink unit ( 17 ) each transmitted copy (S _K1 , S _K2 ) separately on an independent software path ( 37 . 38 ) a comparator module ( 41 ), and - in which by means of the comparator module ( 41 ) the output copies (S _K1 , S _K2 ) are tested for their consistency, whereby in the case of consistency by the comparator module ( 41 ) the copies (S _K1 , S _K2 ) corresponding output signal (S _A ) is generated. Method according to claim 1, characterized in that each copy (S _K1 , S _K2 ) of the input signal (S _E ) in the associated source-side software path (S 29 . 30 ) is secured by generating an associated check information (I _K1 , I _K2 ), and that the copy (S _K1 , S _K2 ) after transmission to the sink unit ( 17 ) in the associated sink-side software path ( 37 . 38 ) is tested for transmission errors on the basis of the test information generated on the source side (I _K1 , I _K2 ). Method according to claim 1 or 2, characterized in that within the source unit ( 16 ) from the different software paths ( 37 . 38 ) supplied copies (S _K1 , S _K2 ) for common transmission to the sink unit ( 17 ) in a transmission frame (R). Method according to Claim 3, characterized in that the transmission frame (R) in the source unit ( 16 ) is secured by generating an associated check information (I _R ). Method according to one of claims 1 to 4, characterized in that a plurality of sub-signals (S1, S2) comprehensive input signal (S _E ) is duplicated such that a first copy (S _K1 ) and at least one further copy (S _K2 ) the various Partial signals (S1, S2) of the input signal (S _E ) in different order. Contraption ( 15 ) for safety-related wireless signal transmission, with a source unit ( 16 ) and one with this via a wireless transmission link ( 13 ) connected sink unit ( 17 ), - the source unit ( 16 ) a host controller ( 24 ), in which at least two independent software paths ( 29 . 30 ) for separately feeding a respective copy (S _K1 , S _K2 ) of a duplicated input signal (S _E ) to a common transmitter module ( 25 ) - the sink unit ( 17 ) a host controller ( 24 ), in which at least two independent software paths ( 37 . 38 ) for the separate output of each one of the by means of a common receiver module ( 25 ) received copies (S _K1 , S _K2 ) to a downstream comparator module ( 41 ), and - wherein the comparator module ( 41 ) is designed to test the output copies (S _K1 , S _K2 ) for consistency, and in the consistency case to produce the copies (S _K1 , S _K2 ) corresponding output signal (S _A ). Contraption ( 15 ) according to claim 6, characterized in that each source-side software path ( 29 . 30 ) is adapted to secure the associated copy (S _K1 , S _K2 ) of the input signal (S _E ) by generating associated check information (I _K1 , I _K2 ), and that each sink-side software path ( 37 . 38 ) is designed to check the assigned copy (S _K1 , S _K2 ) on the basis of the test information generated on the source side (I _K1 , I _K2 ) for transmission errors. Contraption ( 15 ) according to claim 6 or 7, characterized in that the input signal (S _E ) the source-side host controller ( 24 ) by means of at least one signal channel ( 19 . 20 ) comprehensive signal line ( 18 ), wherein for duplication of the input signal (S _E ) the or each signal channel ( 19 . 20 ) with one port each ( 39a . 39b . 40a . 40b ) of each software path ( 29 . 30 ) connected is. Contraption ( 15 ) according to claim 8, characterized in that the signal line ( 18 ) a plurality of each a sub-signal (S1, S2) of the input signal (S _E ) leading signal channels ( 19 . 20 ) in different order with ports ( 39a . 39b ) of a first software path ( 29 ) and corresponding ports ( 40a . 40b ) of a second software path ( 30 ) are connected. Contraption ( 15 ) according to one of claims 6 to 9, characterized in that the comparator module ( 41 ) is designed as a hardware comparator. Contraption ( 15 ) according to one of claims 6 to 10, characterized in that the comparator module ( 41 ) is designed to output in the inconsistency case a si chere state inducing output signal (S _A ). Contraption ( 15 ) according to one of claims 6 to 11, characterized in that the source unit ( 16 ) and the sink unit ( 17 ) one controller board each ( 23 ) containing the host controller ( 24 ) as well as the transmitter module ( 25 ) or receiver module ( 25 ) contains. Contraption ( 15 ) according to claim 12, characterized in that as a transmitter module or receiver module designed as a combined transmitting / receiving component radio module ( 25 ) is used. Contraption ( 15 ) according to claim 13, characterized in that the source unit ( 16 ) or the sink unit ( 17 ) associated controller boards ( 23 ) are identical in terms of their electronic design. Contraption ( 15 ) according to claim 13 or 14, characterized in that the radio module ( 25 ) is designed as a Bluetooth module. Contraption ( 15 ) according to one of claims 6 to 15, characterized by the or each host controller ( 24 ) associated monitoring module ( 26 ), which is designed to ensure the proper functioning of the host controller ( 24 ) based on a monitoring module ( 26 ) by the host controller ( 24 ) to monitor transmitted periodic trigger signal (T), and the host controller ( 24 ) to reset to a defined initial state in the event of an error. Contraption ( 15 ) according to one of claims 6 to 16, characterized in that the sink unit ( 17 ) a monitoring module ( 43 ), which is designed to ensure the proper functioning of the associated host controller ( 24 ) based on a monitoring module ( 43 ) by the host controller ( 24 ) to monitor the transmitted periodic trigger signal (T), and in the event of an error, the comparator module ( 41 ) directly to the output of a safe state inducing output signal (S _A ) to control. Contraption ( 15 ) according to one of claims 6 to 17, characterized in that each software path ( 29 . 30 . 37 . 38 ) at least one software module ( 50 - 53 . 74 - 88 ), wherein at least two mutually functionally corresponding software modules ( 50 . 52 ; 51 . 53 ; 74 . 75 ; ...) parallel software paths ( 29 . 39 ; 37 . 38 ) are executed differently.